The information in this document was created from the devices in a
specific lab environment. All of the devices used in this document started with
a cleared (default) configuration. If your network is live, make sure that you
understand the potential impact of any command.

The original security feature of 802.11 wireless networks, Wired Equivalent
Privacy (WEP), is weak. The Wi-Fi Alliance (formerly WECA) industry group devised
Wi-Fi Protected Access (WPA), a next-generation, interim security standard for
wireless networks that is based on a draft of IEEE 802.11i. The standard provides
defense against the known WEP weaknesses until the IEEE organization ratifies the
full 802.11i standard.

This new scheme builds on current EAP/802.1x authentication and dynamic
key management, and adds stronger encryption: TKIP, which adds per-packet keys
and a message integrity check (MIC) on top of the WEP cipher. After the client
device and the authentication server complete EAP/802.1x authentication, WPA key
management is negotiated between the AP and the WPA-compliant client device, and
that negotiation derives the pairwise and group keys from the session key that
the EAP exchange produced.

Cisco AP products also provide for a hybrid configuration in which both
legacy WEP-based EAP clients (with legacy or no key management) work in
conjunction with WPA clients. This configuration is referred to as migration
mode. Migration mode allows for a phased approach to migrate to WPA. This
document does not cover migration mode. This document provides an outline for a
pure WPA-secured network.

In addition to enterprise- or corporate-level security concerns, WPA
also provides a Pre-Shared Key version (WPA-PSK) that is intended for use in
small office, home office (SOHO) or home wireless networks. Cisco Aironet
Client Utility (ACU) does not support WPA-PSK. The Wireless Zero Configuration
utility from Microsoft Windows supports WPA-PSK for most wireless cards, as do
these utilities:

Note: This section provides only the configuration that is relevant to
WPA-PSK. The configuration in this section is only to give you an understanding
of how to enable WPA-PSK and is not the focus of this document. This document
explains how to configure WPA with EAP/802.1x.

WPA builds on the current EAP/802.1x methods. This document assumes
that you have a Lightweight EAP (LEAP), EAP, or Protected EAP (PEAP) configuration
that works before you add the WPA configuration.

This section presents the information to configure the features
described in this document.

In any EAP/802.1x-based authentication method, you may question what
the differences are between Network-EAP and Open authentication with EAP. These
terms refer to the value of the Authentication Algorithm field in the 802.11
Authentication management frames that a client exchanges with the AP before it
associates. Most manufacturers of wireless clients set this field to the value 0
(Open authentication), and then signal their intent to do EAP authentication
later in the association process, with 802.1x EAPOL frames. Cisco clients set the
field differently, with the Network-EAP flag, from the start of association, so
the AP begins EAP immediately.

Use the authentication method that this list indicates if your network
has clients that are:

Base this decision on the type of client cards that you use. See
the Network EAP or Open Authentication with EAP
section of this document for more information. If EAP worked before the
addition of WPA, a change is probably not necessary.
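The configuration that the WPA-PSK note and the Network EAP / Open authentication with EAP discussion describe, written out as an added example for a Cisco Aironet IOS AP; this is not the original document's configuration. It uses the 12.3-style global dot11 ssid syntax (on 12.2(15)JA images the same ssid commands are entered under the radio interface). The server group and method list names, the SSID strings, the 192.0.2.10 RADIUS server, its shared secret, the client-side choice of authentication lines and the PSK passphrase are assumed values to replace with your own, and the EAP setup (LEAP, PEAP or other) is assumed to authenticate clients against that RADIUS server already.

```cisco
! Added example, not from the original document. All names, addresses and
! secrets below are hypothetical placeholders.
!
! --- RADIUS / AAA: an EAP setup that already works before WPA is added ---
aaa new-model
aaa group server radius rad_eap
 server 192.0.2.10 auth-port 1812 acct-port 1813
aaa authentication login eap_methods group rad_eap
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key 0 ChangeMe-RadiusKey
!
! --- Pure WPA SSID for enterprise clients (EAP/802.1x + WPA key management) ---
dot11 ssid wpa-eap
 ! Cisco client cards (ACU) use Network-EAP; most other cards use Open + EAP.
 ! Both lines can coexist; keep the one(s) your clients need.
 authentication open eap eap_methods
 authentication network-eap eap_methods
 ! Mandatory WPA. "authentication key-management wpa optional" would be
 ! migration mode (WEP-EAP and WPA clients mixed), which this document skips.
 authentication key-management wpa
!
! --- Alternative SSID for SOHO use: WPA-PSK, no authentication server ---
! Bind this stanza to the radio instead of wpa-eap if you have no RADIUS.
dot11 ssid home-wpa
 authentication open
 authentication key-management wpa
 ! 8 to 63 printable ASCII characters. The passphrase can be attacked offline
 ! from a captured four-way handshake, so use a long random one, not a word.
 wpa-psk ascii 0 Example-Long-Random-Passphrase-2004
!
interface Dot11Radio0
 ! The TKIP cipher must be set on the radio before key-management wpa is
 ! accepted on the SSID; the AP rejects the reverse order.
 encryption mode ciphers tkip
 ssid wpa-eap
 no shutdown
```

Each SSID here is pure WPA: no static WEP keys remain on the radio and no WEP-only client can associate, which is the state this document targets. Switching the bound SSID from wpa-eap to home-wpa changes only who holds the master key (a RADIUS server versus a passphrase on the AP); the key management and TKIP settings are identical.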

show dot11 associations mac_address—This command displays
information about a specific associated client. Verify that the client
negotiated Key Management as WPA and Encryption as TKIP. Without the MAC address
argument, the command lists all associated clients.

The Association table entry for a particular client must also
indicate Key Management as WPA and Encryption as
TKIP. In the Association table, click a particular MAC address
for a client in order to see the details of the association for that
client.

WPA key management involves a four-way handshake after EAP
authentication successfully completes. You can see these four messages in
debugs. If EAP does not successfully authenticate the client or if you do not
see the messages, complete these steps:

Temporarily disable WPA.

Reenable the appropriate EAP.

Confirm that the authentication works.

This list describes the debugs:

debug dot11 aaa manager keys—This debug shows the handshake that happens
between the AP and the WPA client as the pairwise transient key (PTK) and group
transient key (GTK) are negotiated. This debug was introduced in Cisco IOS
Software Release 12.2(15)JA.

The terminal monitor (term mon) command is enabled (if you use a Telnet
session); without it, debug output goes only to the console.

The debugs are enabled.

The client is appropriately configured for
WPA.

If the debug shows that PTK and/or GTK handshakes are built but not
verified, check the WPA supplicant software for the correct configuration and
up-to-date version.

debug dot11 aaa authenticator state-machine—This debug shows the
various states of negotiation that a client goes through as it associates and
authenticates. The state names indicate these states. This debug was introduced
in Cisco IOS Software Release 12.2(15)JA. The debug obsoletes the debug dot11 aaa
dot1x state-machine command in Cisco IOS Software Release 12.2(15)JA and later.

debug dot11 aaa dot1x state-machine—This debug shows the various
states of negotiation that a client goes through as it associates and
authenticates. The state names indicate these states. In Cisco IOS Software
releases that are earlier than Cisco IOS Software Release 12.2(15)JA, this debug
also shows the WPA key management negotiation.

debug dot11 aaa authenticator process—This debug is most helpful to
diagnose problems with negotiated communications. The detailed information shows
what each participant in the negotiation sends and shows the response of the
other participant. You can also use this debug in conjunction with the debug
radius authentication command. This debug was introduced in Cisco IOS Software
Release 12.2(15)JA. The debug obsoletes the debug dot11 aaa dot1x process
command in Cisco IOS Software Release 12.2(15)JA and later.

debug dot11 aaa dot1x process—This debug is helpful to diagnose
problems with negotiated communications. The detailed information shows what
each participant in the negotiation sends and shows the response of the other
participant. You can also use this debug in conjunction with the debug radius
authentication command. In Cisco IOS Software releases that are earlier than
Cisco IOS Software Release 12.2(15)JA, this debug shows the WPA key management
negotiation.
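The verification, the fallback test (temporarily disable WPA, re-enable plain EAP, confirm authentication) and the debug commands described above, as an added example of what is typed on the AP; it is not from the original document. The client MAC address and the wpa-eap SSID are assumed, and the fallback assumes that the pre-WPA EAP configuration used dynamic WEP with a rotating broadcast key; restore whatever your own working EAP configuration used instead.

```cisco
! Added example, not from the original document. MAC address, SSID name and
! the pre-WPA WEP settings are hypothetical.
!
! 1. Verify the association. The client entry must show Key Mgmt WPA and
!    Encryption TKIP; a client that shows none is not doing WPA at all.
show dot11 associations
show dot11 associations 0012.3456.789a
!
! 2. Fallback test when no four-way handshake appears: take WPA out of the
!    picture and confirm that EAP alone still authenticates the client.
!    Remove key management before changing the cipher; the AP rejects the
!    reverse order.
configure terminal
 dot11 ssid wpa-eap
  no authentication key-management wpa
 interface Dot11Radio0
  no encryption mode ciphers tkip
  ! Assumed pre-WPA EAP setup: dynamic WEP with the broadcast key rotated
  ! every 300 seconds. Use your own previous working settings here.
  encryption mode wep mandatory
  broadcast-key change 300
 end
! ... have an EAP client authenticate; if that fails, fix EAP/RADIUS first.
! Then put WPA back, cipher first and key management second:
configure terminal
 interface Dot11Radio0
  no broadcast-key change
  no encryption mode wep mandatory
  encryption mode ciphers tkip
 dot11 ssid wpa-eap
  authentication key-management wpa
 end
!
! 3. Watch the EAP exchange and the PTK/GTK handshake. Over Telnet, terminal
!    monitor is required or nothing is shown; these are the 12.2(15)JA and
!    later debug names (use the "dot1x" variants on earlier images).
terminal monitor
debug dot11 aaa manager keys
debug dot11 aaa authenticator state-machine
debug dot11 aaa authenticator process
debug radius authentication
! ... reproduce the client association, then stop all debugging:
undebug all
```

Leave the debugs on only for the duration of one client association; on a busy AP the authenticator process and RADIUS debugs are verbose enough to load the CPU, and debug radius authentication prints the RADIUS exchange, so treat the captured output as sensitive.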